Users of electronic services are usually authenticated with secret passwords. For example, a user can log on to a corporate network using his password. Then, the user can check his Internet e-mail account by verifying his identity with a different password. Similarly, a device, such as a computer or a Personal Digital Assistant (PDA), can prompt the user for a password before allowing access to the device.
When a password is requested, the input area for the password is generally referred to as a prompt. Most prompts include input fields for a user identifier (ID) or handle and for a password. Prompts can also include various graphics, such as corporate logos, and various other input fields.
A malicious attacker can simulate the appearance of other entities' prompts by copying them. If a user is presented with such a copycat prompt, the user may not be able to easily recognize that the prompt is not authentic. This can lead to the user's password being captured by the attacker.